NationStates Jolt Archive

My daughter-in-law just sent me the following email. You might want to read it and take appropriate steps.

WARNING...New Credit Card Scam.

Note, the callers do not ask for your card number; they already have
it. This information is worth reading. By understanding how the VISA &
MasterCard Telephone Credit Card Scam works, you'll be better prepared
to protect yourself. One of our employees was called on Wednesday
from "VISA", and I was called on Thursday from "MasterCard".

The scam works like this: Person calling says, "This is (name), and
I'm calling from the Security and Fraud Department at VISA. My Badge
number is 12460 Your card has been flagged for an unusual purchase
pattern, and I'm calling to verify. This would be on your VISA card
which was issued by (name of bank). Did you purchase an
Anti-Telemarketing Device for $497.99 from a Marketing company based
in Arizona?" When you say "No", the caller continues with, "Then we
will be issuing a credit to your account. This is a company we have
been watching and the charges range from $297 to $497, just under the
$500 purchase pattern that flags most cards. Before your next
statement, the credit will be sent to (gives you your address), is
that correct?"

You say "yes". The caller continues - "I will be starting a Fraud
investigation. If you have any questions, you should call the 1- 800
number listed on the back of your card (1-800-VISA) and ask for
Security.

You will need to refer to this Control Number. The caller then gives
you a 6 digit number. "Do you need me to read it again?" Here's the
IMPORTANT part on how the scam works. The caller then says, "I need to
verify you are in possession of your card". He'll ask you to "turn
your card over and look for some numbers". There are 7 numbers; the
first 4 are part of your card number, the next 3 are the security
Numbers' that verify you are the possessor of the card. These are the
numbers you sometimes use to make Internet purchases to prove you have
the card. The caller will ask you to read the 3 numbers to him. After
you tell the caller the 3 numbers, he'll say, "That is correct, I just
needed to verify that the card has not been lost or stolen, and that
you still have your card. Do you have any other questions?" After you
say No, the caller then thanks you and states, "Don't hesitate to call
back if you do", and hangs up.

You actually say very little, and they never ask for or tell you the
Card number. But after we were called on Wednesday, we called back
within 20 minutes to ask a question. Are we glad we did! The REAL VISA
Security Department told us it was a scam and in the last 15 minutes a
new purchase of $497.99 was charged to our card.

Long story made short - we made a real fraud report and closed the
VISA account. VISA is reissuing us a new number. What the scammers
want is the 3-digit PIN number on the back of the card. Don't give it
to them. Instead, tell them you'll call VISA or Master card directly
for verification of their conversation. The real VISA told us that
they will never ask for anything on the card as they already know the
information since they issued the card! If you give the scammers your
3 Digit PIN Number, you think you're receiving a credit. However,by
the time you get your statement you'll see charges for purchases
you=20 didn't make, and by then it's almost to late and/or more
difficult to actually file a fraud report.

What makes this more remarkable is that on Thursday, I got a call from
a "Jason Richardson of MasterCard" with a word-for-word repeat of the
VISA scam.This time I didn't let him finish. I hung up! We filed a
police report, as instructed by VISA. The police said they are taking
several of these reports daily!

They also urged us to tell everybody we know that this scam is happening.

Please pass this on to all your family and friends. By informing each
other,we protect each other.

I don't understand how this is done, I shop often online with my credit card and the one thing you must know to use your card is the month and year of the expiration date of the card. Without this information no one can use your card. So, perhaps this letter about this scam is nothing more than a hoax?

Cool.

All the more reason why I use my credit card only for emergencies. I know there's nothing on it, and I never give out any information on it unless I'm the one who called the company.

I don't understand how this is done, I shop often online with my credit card and the one thing you must know to use your card is the month and year of the expiration date of the card. Without this information no one can use your card. So, perhaps this letter about this scam is nothing more than a hoax?
These chain emails usually are. I hate them with a passion. We had this stupid one recently, sent out on our network by someone who didn't check her facts first...it was that urban myth one about gang members driving at night with no headlights on, and then killing the first person who flicked their beams to warn them...I live in a very rural area, with little traffic, and no real gang activity outside of 11 year olds hanging out at the CO-OP. What a stupid email...and dumb people got all upset about it. You'd think they'd realise...hey, we haven't heard of any shooting deaths (beside the one that claimed the lives of four RCMP officers recently), so maybe this is crap?

Others can get your credit card number by a variety of means, but possession of the verifying numbers is considered proof by merchants and banks that you hold the card in your hand.

One of my clients is a credit card fraud investigator, I'll ask him next time I see him about this scam. Has the ring of truth to me.

What concerns me is how these crooks get our credit card numbers in the first place...

Essentially, if you didn't make the call, don't give out information a caller asks for.

What concerns me is how these crooks get our credit card numbers in the first place...

Essentially, if you didn't make the call, don't give out information a caller asks for.

hundreds of thousands get hacked on internet, can get them from store receipt copies, too.

Credit Cards are stupid anyway. If you can't pay upfront, you probably don't need it.

These chain emails usually are. I hate them with a passion. We had this stupid one recently, sent out on our network by someone who didn't check her facts first...it was that urban myth one about gang members driving at night with no headlights on, and then killing the first person who flicked their beams to warn them...I live in a very rural area, with little traffic, and no real gang activity outside of 11 year olds hanging out at the CO-OP. What a stupid email...and dumb people got all upset about it. You'd think they'd realise...hey, we haven't heard of any shooting deaths (beside the one that claimed the lives of four RCMP officers recently), so maybe this is crap?
Yeah ... except for one thing ... the email is from my DAUGHTER-IN-LAW! HELLO!!!!!!

And, just to clarify even further, so that there is NO misunderstanding, the email is original with her ... she was the one who was scammed. My son told me about this as well, and I've never known my daughter-in-law to lie to me about anything. Jeeze.

I don't understand how this is done, I shop often online with my credit card and the one thing you must know to use your card is the month and year of the expiration date of the card. Without this information no one can use your card. So, perhaps this letter about this scam is nothing more than a hoax?
Jesus Stephie. If I said it was raining you would run outside with your face skyward.

Yeah ... my daughter-in-law hoaxed me. She lied to me just for the hell of it.

Credit Cards are stupid anyway. If you can't pay upfront, you probably don't need it.

Like cars or houses or college. Who needs those?

The number of e-commerce sites that now request the "three security digits" from the back of the card is... well, good. At least until you realise that now these digits are no longer privalidged information that only you know.

I've not been a long-enough user of credit cards to know for certain, but I expect the expiry date was a similar "prove to us that you are the owner of the card" check, and now is as common knowledge (to those that intercept/store legitimate information) as the whole card number/name and (now) security digits.

What I have said for ages is that what you need is (say) a 5x5 square of characters (alphanumeric, perhaps minus one or both 'conflict' characters from such pairs as '0' and 'O', '1' and 'I', '6' and 'G') for which a verification requires three correct matches from randomly-chosen positions on the grid. Which are demanded would be from the secure verification mechanism at the card-issuer (or certified main agent handling that trusted function) so that it is managed so that a vendor is never asked for the same digits as before, and thus cannot provide the full issuer/agent-requested information at a later time, in the attempt to make an unauthorised and spurious 'card not present' transaction.

(Yes, I know that this only gives 23 different transactions, at the most, before even a "one new digit each time" has given a dedicated recorder all the information he needs to make a replay on his own, but I never said this was a perfect system... ;) Perhaps a single vendor should instead never be asked all the positions, so that trying to pass a fraudlent transaction through a 3rd party runs the risk of being unable to provide details never revealed to the crook (or crook-infiltrated) business.)

The real secure way would be to use the smart-chips to hold a lengthy 'one-time-pad' array of random digits (how many kb/mb can a smart-card hold in volotile memory?) imprinted (and locally retained) by the issuer, the usage of which is ticked off (and marked unusable for future use, by an internal and protected read-and-provide internal processing mechanism acting as intermediary to the external card reader) each time a transaction is made. Support could be made with direct-conection-to-authority systems at vendor or (for the serious e-purchaser, home-PC peripheral) or more portable (and cheap) readers that either store each interaction for later connection (which can be further combined/encapsulated within a PIN, appropriate half of a public/private key pair and timestamp) or indeed just display the digits (including index position and encapsulated as with the prior) required to manually fill in the paperwork/type into non-compatible electronic systems.

Well, you get the idea for that last one. Though it would need some additional development (and paranoid thinking), most cards these days, in my part of the world, now have a chip for chip-and-PIN and so the infrastructure (at least at the sales-floor ePOS locations) is there to be improved upon at the firmware level without much of a hardware change... Though upgrading web-purchasing/telesales methods would require further hardware at the card end that currently doesn't exist in a majority of cases...

[edit: No, the secure way to use the capabilities of a smart-chip device with private memory and integrated I/O interface which securely interogates a private memory area would merely be to have a lengthy internal private-key (shared only with the card issuer) which is used to encapsulate the transaction ID and further encapsulated, with timestamp, by relevant public/private key-pairs generated by the card reader, vendor and (where on-line verification is being performed) a given string from the master verifier system, all of which returns a data object that is a multi-layer validatable encryption that, when unwrapped) is an unfakeable of record of who is buying, who is selling (possibly even which saleseperson was sat at the till) and everything else you might wish for... Same problems for 'card not present' situations, of course, with the same solutions...]

[edit2: Or similar... There's several different ways of doing it, and what to encrypt within what else and in what fashion... I merely hypothesise one way, and one in which I'm only half sure I've covered all the bases that a true ly unredeeamable paranoid might require... :)]

Check it out people:

http://www.snopes.com/crime/warnings/creditcard.asp

Check it out people:

http://www.snopes.com/crime/warnings/creditcard.asp
And this changes what? Seems to verify what my DIL told me, yes??

And this changes what? Seems to verify what my DIL told me, yes??

Why do you take everything as an attack on you? Perhaps she was corroborating your story?

These chain emails usually are. I hate them with a passion. We had this stupid one recently, sent out on our network by someone who didn't check her facts first...it was that urban myth one about gang members driving at night with no headlights on, and then killing the first person who flicked their beams to warn them...I live in a very rural area, with little traffic, and no real gang activity outside of 11 year olds hanging out at the CO-OP. What a stupid email...and dumb people got all upset about it. You'd think they'd realise...hey, we haven't heard of any shooting deaths (beside the one that claimed the lives of four RCMP officers recently), so maybe this is crap?

O my the gang bangers with their headlights off. I have not heard that one in years. lol
My favorite internet chain mail hoax has always been the on about kids dieing from the snakes in the ball pit at Burger King/Herion neddles in the ball pit at McDonalds
I find so funny that people belived that stuff from just an e-mail. And then they stand there with a blank look on their face when I ask, If this really happened don't you think it would have made national headlines, and been the top story on every news show?
lol

Jesus Stephie. If I said it was raining you would run outside with your face skyward.

Yeah ... my daughter-in-law hoaxed me. She lied to me just for the hell of it.

I don't think she was trying to insinuate that at all. What I understood from your original message was that your daughter-in-law had forwarded this to you as something she received from a friend who'd received it from another friend and so on down the line. In such instances, it often seems as though the message is true, when there may be more than meets the eye. It doesn't seem as though Stephistan was trying to say your daughter-in-law intentionally hoaxed you, but that perhaps this is a case where the message looked real enough to be passed on. Given the same information, I could well have made the same assumption.

However, since you have said that it is your daughter-in-law and not some stranger who experienced this, it does lend the story a little more credence. Although it is interesting that it is nearly word for word the same email that is quoted on snopes.com (considered the internet's foremost source of hoaxes. Incidentally, Muntoo linked to the snopes.com page on this particular email, where it has been said to be possible.)

Is it possible that your mistook a forward from your daughter-in-law to be an email directly from her?

And, just to clarify even further, so that there is NO misunderstanding, the email is original with her ... she was the one who was scammed.

You actually say very little, and they never ask for or tell you the card number. But after we were called on Wednesday, we called back within 20 minutes to ask a question. Are we glad we did! The REAL VISA security dept. told us it was a scam and in the last 15 minutes a new purchase of $497.99 WAS put on our card.

You actually say very little, and they never ask for or tell you the Card number. But after we were called on Wednesday, we called back within 20 minutes to ask a question. Are we glad we did! The REAL VISA Security Department told us it was a scam and in the last 15 minutes a new purchase of $497.99 was charged to our card.

Uncanny.

I don't think she was trying to insinuate that at all. What I understood from your original message was that your daughter-in-law had forwarded this to you as something she received from a friend who'd received it from another friend and so on down the line. In such instances, it often seems as though the message is true, when there may be more than meets the eye. It doesn't seem as though Stephistan was trying to say your daughter-in-law intentionally hoaxed you, but that perhaps this is a case where the message looked real enough to be passed on. Given the same information, I could well have made the same assumption.

However, since you have said that it is your daughter-in-law and not some stranger who experienced this, it does lend the story a little more credence. Although it is interesting that it is nearly word for word the same email that is quoted on snopes.com (considered the internet's foremost source of hoaxes. Incidentally, Muntoo linked to the snopes.com page on this particular email, where it has been said to be possible.)

Is it possible that your mistook a forward from your daughter-in-law to be an email directly from her?
It's possible, yes. I'll ask her the next time I talk to her. The copy I got showed that she had sent it to all the people in her department at the mattress manufacturer where she works. Perhaps I misunderstood. If so, my apologies.

Uncanny.
Sigh. Ok, so I may have misunderstood. So sue me.

Sigh. Ok, so I may have misunderstood. So sue me.

Matters naught to me, but you did seem to be a touch off-hand to Sinuhue and Stephistan there when they raised their suspicions.

Matters naught to me, but you did seem to be a touch off-hand to Sinuhue and Stephistan there when they raised their suspicions.
True. I have a tendency to react to each of them that way.

Sigh. Ok, so I may have misunderstood. So sue me.

Why sweat the interpersonal stuff? Over 200 people viewed your thread, you may have saved them a problem. Thanks for posting it.

Like cars or houses or college. Who needs those?

You don't need a credit car for cars or houses or college or furniture or appliances or so on and so forth. You just need good credit.

Good credit doesn't necessarily require a credit card. It's harder to get without one, but it mostly involves you paying your bills on time. Another way around not having a credit card would be to have a co-signer.

lol If somebody asked me for anything about my credit card over a phone, and I didn't call them, I would have just laughed at them.

I could see it now, "Right so my numbers are 6666666, does that sound good to you?"

True. I have a tendency to react to each of them that way.

You should apologise for lashing out at them as this did, in fact, not originate with your daughter-in-law. Your indignation was unwarranted.

I pay for everything with mischief. :)

Sigh. Ok, so I may have misunderstood. So sue me.

*sues Eut for all he has, including a cpl of those girls he posted pics of in the babe thread*

:D

lol If somebody asked me for anything about my credit card over a phone, and I didn't call them, I would have just laughed at them.Therein lies the point I think I was trying to make. A little prevention goes a long way. I'd either just hang up on the caller or I'd say, "I'm sorry, I can't give you that information." And THEN hang up.

The whole forward had the feeling of truth to me and I'm usually one of the most skeptical people around. I blame my journalism background for that, but Eutrusca's post just screamed out to me that this was no hoax.

Therein lies the point I think I was trying to make. A little prevention goes a long way. I'd either just hang up on the caller or I'd say, "I'm sorry, I can't give you that information." And THEN hang up.

The whole forward had the feeling of truth to me and I'm usually one of the most skeptical people around. I blame my journalism background for that, but Eutrusca's post just screamed out to me that this was no hoax.

Yeah, unless I call VISA and they then ask for my information, there is no way in hell I'm giving my information over a telephone. Silly People...

Yeah, unless I call VISA and they then ask for my information, there is no way in hell I'm giving my information over a telephone. Silly People...
There are a couple of very important "rules of thumb" to remember when dealing with people on the phone when it relates to anything to do with banks.

NUMBER ONE WITH A BULLET never, never, never use the word "YES" in a conversation with a telephone sales/service person. Audio software is too good these days, and saying "YES" to anything is equivilant to saying "YES" to everything. Say "That is my address" or "That is my number" or "I authorize the purchase of..."

#2 is: Never answer anything at all on an incomming sales/service call if possible. Don't even acknowledge they have the right phone number if you can avoid it. Always take a name and "call back". Even if you have to pay long distance to do it, it's worth it to avoid Fraud.

I like the idea of having a public/private encryption type security system in non volatile memory on the cards smart chip, that way you can hand out the public code all you want but without the private code any potential phishers are sunk. ANd just to idiot proof it, people shouldn't be told or have anyway to access there private code, it should be randomly assigned them by some sort of TAPDANCE type one time system so that not only are no two codes the same but theres no mathematical function that can be applied to 'counterfeit' a private code.

Or, with recent developments in biometric security, your thumbprint could be your credit card, instead of sliding a card through a reader, just slap your thumb down, reader could incorporate a variety of measures to ensure that theres a 'real' thumb behind the print and not even a polymer (or rubber) false pad worn over a thumb.

And this changes what? Seems to verify what my DIL told me, yes??


Well, kind of. :)

You see, my younger sister is monumentally naive, and sends me urban legend type emails ALL THE FRIGGIN' TIME! So at this point whenever I see anything that starts with "I got this in my email" I automatically check Snopes.

But also because Snopes always has the latest news on frauds, cons, worms, hoaxes,trojan horse viruses, etc. and I trust their judgement. I figured it couldn't hurt if people knew for sure that you and your DIL weren't being hoaxed.

Therein lies the point I think I was trying to make. A little prevention goes a long way. I'd either just hang up on the caller or I'd say, "I'm sorry, I can't give you that information." And THEN hang up.

i reckon the best thing to do is give deliberatly false (but realistic) info, that way they'll use the card and get caught.

You don't need a credit car for cars or houses or college or furniture or appliances or so on and so forth. You just need good credit.

Good credit doesn't necessarily require a credit card. It's harder to get without one, but it mostly involves you paying your bills on time. Another way around not having a credit card would be to have a co-signer.
You also have to incur debt. My parents don't like loans (they try to pay with cash whenever possible) and pay them off as quickly as possible. My mother recently found out that she was a "credit risk" because they wouldn't earn much money off of her.

On-topic:
The moral of the story is: never give information. Ever. For any reason. If they contact you, your answers should consist of either "yes" or "no". Nothing else.
Works great for cold-callers too.
"No, no, no, no, no, no, no, no, yes, no, yes, yes, no, no, no, goodbye." :p

This security code is on the back of credit cards and debit cards. Most are the last 4 digits of your card number followed by a 3 or 4 digit number. These last digits are the proof that the card is in your possession. Like many people, we have a credit card for emergencies and for reimbursable travel for work. Most of our day-to-day transactions, though, we do with our debit cards. They're quicker and easier than writing checks. From my own experience as a card holder and having been over the credit card transaction department of a major company, here are a few pieces of info...

Never, NEVER give your card info to an unknown caller.

Most POS (point of sale) locations only print out the last 4 digits of your card number on the receipt. Always check to make sure your entire card number is not printed. If it is, mark through all but the last 4 digits on the merchant's copy. Ask to speak to the manager and voice your concerns.

I don't know of any online sellers or phone solicitors who only require your card number and expiration date. If a card is not physically present to be swiped through a POS machine, the issuing companies require extensive proof of authorized user ID. Internet and phone order transactions require:
1. Card number
2. Expiration date
3. Zip or postal code for card's billing address
4. 3 or 4 digit security code on back of card
5. Cardholder's name exactly as it appears on the front of the card

Your social security number is never used as positive identification when using a card. Never give it out. Also, when using a debit card, never give your PIN number to anybody ever!! When entering your PIN into a POS device, shield the keypad from others' view.

If your card is lost or stolen do the following:
1. Cancel your credit card immediately. Have the toll free numbers and your card numbers handy so you know whom to call. Keep those where you can find them. Place the contents of your wallet on a photocopy machine. Do both sides of each license, credit card, etc. You will know what you had in your wallet and all of the account numbers and phone numbers to call and cancel. Keep the photocopy in a safe place.
2. File a police report immediately in the jurisdiction where your credit cards, etc. were stolen. This proves to credit providers you were diligent, and this is a first step toward an investigation.
3.Call the 3 national (US) credit reporting organizations immediately to place a fraud alert on your name and Social Security number. The alert means any company that checks your credit knows your information was stolen, and they have to contact you by phone to authorize new credit.

All of the major credit card issuers have a "charge back" policy. If you find a fraudulent charge, contact the issuer. They can issue a retrieval notice to the merchant requiring documentation of a signed charge slip or a signature on file. Failure to provide proof of authorized use can result in the transaction being "charged back"...debited from the merchant's account and credited to your account.

Don't get upset or rude when a merchant asks for photo ID when using your card. It's as much for your protection as theirs. If it is available, have your picture on your card. Most banks offer this security feature.

Even if you take all of these precautions, you may still suffer an unauthorized use of your card. For every security precaution added, there are at least 10 ways to get around it. If you follow these suggestions, though, chances are a potential thief will take the easier route and prey on someone who doesn't protect their account as well. If you do have unauthorized useage here are the phone numbers (US) you need to have handy:

Equifax: 1-800-525-6285
Experian (formerly TRW): 1-888-397-3742
Trans Union: 1-800-680-7289
Social Security Administration (fraud line): 1-800-269-0271

Edit: I forgot to mention, when using a credit or debit card, always verify the amount being charged. Also, when your card is returned to you, look at it and make sure it is yours. Some less than honest clerks have switched cards.

NUMBER ONE WITH A BULLET never, never, never use the word "YES" in a conversation with a telephone sales/service person. Audio software is too good these days, and saying "YES" to anything is equivilant to saying "YES" to everything. Say "That is my address" or "That is my number" or "I authorize the purchase of..."




Never thought of it like that. I'll try to follow this advice.

And how about this - you give your credit to the salesperson. They disappear somewhere to process your credit card transaction (out of your sight) and return. They could have actually done the transaction you want and then slide your card on a card reader on a small portable handheld PC. So make sure you see what they doing with your credit card.

Spyniks & Juruselem...both very good points and not ones that people would normally think of. Scammers always seem to have an unlimited supply of ideas.

I don't understand how this is done, I shop often online with my credit card and the one thing you must know to use your card is the month and year of the expiration date of the card. Without this information no one can use your card. So, perhaps this letter about this scam is nothing more than a hoax?

If you are able to process transactions with only this information and the merchant does not have your signature (authorization) on file, I suggest you stop doing business with them immediately. Somehow they have figured out how to bypass security measures set up by the card issuers. With this lack of ethics, I certainly wouldn't want them to have my account info. Maybe you should cancel your existing credit card(s) and have new ones issued.

Issuers used to ask the merchant to confiscate a card that was lost, stolen, or over the limit. Some unscrupulous people have used this ploy to "steal" a person's card. If someone should claim that they are authorized to confiscate your card, have them cut it up in your view. If they refuse, call the police.

Oh and those wonderful India call centres, we all love?
Since those employees have access to private information on corporate databases, those who are corrupt (India, corruption? never ...) can just basically go steal this information and con some more information out of the customers.

Oh and those wonderful India call centres, we all love?
Since those employees have access to private information on corporate databases, those who are corrupt (India, corruption? never ...) can just basically go steal this information and con some more information out of the customers.

Don't get me started on the call centers in India. As soon as I hear the accent I start giving them phony info. Let them pay for an international call and then find out that there is no Helen Waite in Mytown USA. :mad:

Off the subject, but, you list your location as in the Holy Father's office. Really?

Don't get me started on the call centers in India. As soon as I hear the accent I start giving them phony info. Let them pay for an international call and then find out that there is no Helen Waite in Mytown USA. :mad:

Off the subject, but, you list your location as in the Holy Father's office. Really?

If I was the Pope's secretary, I'd be a full on Catholic (which I am not).
On the other hand, I wouldn't mind getting a few emails from God ...